
qcacld-3.0: Fix buffer overflow in process_tx_info and process_rx_info

Currently data in "pl_tgt_hdr" is used directly from firmware without
any length check which may cause buffer over-read.

To address this issue, add a length check before accessing the data offset.

Change-Id: Ic2930fdf7168b79a8522be282b0e1cd19214742a
CRs-Fixed: 2148631
Alok Kumar 7 lat temu
rodzic
commit
504230b163
2 zmienionych plików z 15 dodań i 1 usunięć
  1. 10 1
      core/dp/htt/htt_t2h.c
  2. 5 0
      core/dp/txrx/ol_txrx_types.h

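--- a/core/dp/htt/htt_t2h.c
+++ b/core/dp/htt/htt_t2h.c
@@ -467,7 +467,16 @@ static void htt_t2h_lp_msg_handler(void *context, qdf_nbuf_t htt_t2h_msg,
 #ifndef REMOVE_PKT_LOG
 	case HTT_T2H_MSG_TYPE_PKTLOG:
 	{
-		pktlog_process_fw_msg(msg_word + 1);
+		uint32_t len = qdf_nbuf_len(htt_t2h_msg);
+
+		if (len < sizeof(*msg_word) + sizeof(uint32_t)) {
+			qdf_print("%s: invalid nbuff len \n", __func__);
+			WARN_ON(1);
+			break;
+		}
+
+		/*len is reduced by sizeof(*msg_word)*/
+		pktlog_process_fw_msg(msg_word + 1, len - sizeof(*msg_word));
 		break;
 	}
 #endif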
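Review bot: The new guard only establishes that at least `sizeof(uint32_t)` bytes of payload follow the message word; the pl_tgt_hdr over-read named in the title is closed only if pktlog_process_fw_msg and the process_tx_info/process_rx_info paths bound every field access by the `len` now passed, and none of them is touched in this commit (presumably they live in the shared pktlog component, so the matching change should be referenced here). The terse comment on the call could state that contract instead: `/* pass the payload length so the pktlog parser can bound its pl_tgt_hdr reads */`. Because `len` comes from a firmware-supplied buffer, the unconditional `WARN_ON(1)` fires once per malformed message and can flood the log; a rate-limited print or a dropped-message counter would be the safer signal. htt_t2h_lp_msg_handler starts and ends outside the hunk.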

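--- a/core/dp/txrx/ol_txrx_types.h
+++ b/core/dp/txrx/ol_txrx_types.h
@@ -1324,6 +1324,11 @@ struct ol_rx_remote_data {
 	uint8_t mac_id;
 };
 
+struct ol_fw_data {
+	void *data;
+	uint32_t len;
+};
+
 #define INVALID_REORDER_INDEX 0xFFFF
 
 #define SPS_DESC_SIZE 8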
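Review bot: `struct ol_fw_data` is added without a comment and nothing in this commit uses it, so a reader cannot tell which byte range `len` covers or whether `data` points at the message word or the payload after it. A kernel-doc block above the definition stating that `data` is the start of a firmware-supplied buffer and `len` the number of bytes valid at `data`, with the consumer expected to bound all reads by `len`, would tie it to the length check introduced in htt_t2h.c. Naming the consumer that will take this struct in the commit message would also help reviewers find the other half of the change.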